Intrusion Detection recommendations

Sat Feb 14 00:48:44 UTC 2015

Hello Andy,
I believe you are very good set up the way you are in technology. I see you are surrounded by BSD systems everywhere, on servers, mobile and desktop. And I suggest you keep running FreeBSD for this new security requirement you have.
We run FreeBSD as IDS/IPS system on several sites, and pfSense on a couple others. From my experience, we started using Snort, the common path people usually follow, but under certain circumstances, the drop ratio (unprocessed packets) started to raise a lot, and we looked for options. Tried Bro and Suricata and with some help from one of our servers supplier we decided to give Suricata a tuning and special try, and it became our primary option for IDS.
Therefore I strongly suggest you start researching around Bro vs Snort vs Suricata and try to reach your conclusions from your own findings. But if you ask me for suggestion, as a long time user for Snort, I deprecated it in favor of Suricata. So my primary suggestion is Suricata + FreeBSD as IDP. Suricata is a very serious Project with very good software provided.
We run ServerU networking servers, and they are the vendor who supported us. Usually they offer their own software solution called ProApps, it's a system made on top of FreeBSD which you have full root access etc, a plain old good FreeBSD system, but with nice auto update features and a helpful web GUI which allows me to delegate IDS operations to different level of staff operators on my team. 
They allow using for their ProApps solution on ServerU hardware, so if intend to add new hardware to your project, it might worth a try. I find the tool very powerful and very complete.
On pfSense side you have a third party package made by community members, it also has a nice GUI, good deployment practices, but is Snort based. 
At one special location we needed even more performance for packets capturing, and we added Suricata running in Netmap mode, and it raised performance three times on the same box.
So if you are looking for something easy, ready and supported, go for ServerU+ProApps. If you are looking for plain good open source arranged the way want to, you can have just the same with FreeBSD + Suricata & Friends.
Should you want to do everything by yourself, FreeBSD + Suricata + Barnyard2 + Sguil + Snortsam is my suggested path way to go, with Richard Beijtlichs' books on your hand for good analysis learning and IDS best common operation practices. And maybe I can be of any help, private mail me if you want to.
Regards,
> From: andy at newslink.com
> Subject: Intrusion Detection recommendations
> Date: Fri, 13 Feb 2015 11:40:06 -0600
> To: nanog at nanog.org
> 
> NANOG'ers,
> 
> I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
> 
> We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
> 
> Initially, what do people recommend for:
> 
> 1. Crash course in intrusion detection as a whole
> 2. Suggestions or recommendations for intrusion detection hardware or software
> 3. Other things I'm likely overlooking
> 
> Thank you all in advance for your wisdom.
> 
> 
> ----
> Andy Ringsmuth
> andy at newslink.com
> News Link – Manager Technology & Facilities
> 2201 Winthrop Rd., Lincoln, NE 68502-4158
> (402) 475-6397    (402) 304-0083 cellular
>